Read the entire article in Feb, 2014 edition of SC Magazine
“While used every day, the term ‘security’ can be deceptively difficult to define and may carry various meanings for different people in divergent contexts. The industry at large seems to have adopted a stance of ‘I know it when I see it,’ as opposed to objectively defining the concept. Unfortunately, this creates numerous problems for those who have a need to ‘secure’ data, or any other asset.
For more than two decades, I have served in a number of security functions, and have found it curious that in each industry or domain few, if any, people were able to provide a clear definition of the term ‘security’. Many could describe the concept and list characteristics, but nobody could provide an actual definition that could be used to objectively measure whether a building, system, person, or other asset was or was not secure.”
Originally posted on GlobalRiskInfo in February 2012.
In light of the recent disclosures of breaches of major security technologies and vendors, I felt compelled to write this post. One of my favorite subjects to debate (and argue over) is security theory in general, and specifically the topics of vulnerabilities and exploits. These concepts are critical in the fields of information security (IS), risk management, and other areas of security. In truth, the concepts extend beyond IS, but they are very common in the IS world and, in my opinion, easier to discuss in that context. So what are exploits and vulnerabilities, and why are they important?
First, we need to understand that there is no “guaranteed security”: security can never be 100%, because there are always vulnerabilities that can be exploited. We may not have identified them yet, but they do exist. Given enough time, effort, and the right tools, any security control can be circumvented. Security should therefore be viewed as a function of time and effort (this will be discussed below). Second, it is important to understand that the concepts of exploits and vulnerabilities are inextricably entwined and mutually dependent. This is where the debate begins, so first let’s establish a working definition of the terms.
Thanks for visiting the HOG’s blog on Security! This site is a complement to the GlobalRiskInfo site but is focused solely on providing insight and education on the concepts of security, risk, and compliance. Having worked in numerous security domains for over 20 years has given me valuable insight into the concepts and underpinnings of security. Whether we are talking about physical security, operational security, information security, or cybersecurity, the basic concepts remain the same. This blog will focus on the more esoteric, yet important, concepts of proximate reality, deterrence and compellence, parallax and convergence, threats and vulnerabilities, risk, and more.